From healthcare to the education industry, cyberattackers are on the prowl. Read on to know more…
Since the coronavirus outbreak, cyberattackers have been gaining a foothold in every sector, from healthcare to education. Hackers and threat groups keep the same long-standing goals, such as cyberespionage and “hack-and-leak” operations. Posing as trusted entities, APT groups and cybercriminals are capitalizing on the COVID-19 pandemic by deploying a wide variety of ransomware and other malware. Their tactics include coronavirus-themed phishing texts and emails and malicious applications.
Coronavirus-Based Cyberattacks
In the last few weeks, the number of cyberattacks has skyrocketed. For instance, a series of SMS messages were found to use a UK government-themed lure to collect email, address, name, and banking information. Claiming to be from “UKGOV”, these SMS messages included a direct link to the phishing site.
In addition, the National Cyber Security Centre (NCSC) observed several emails carrying the “Agent Tesla” keylogger malware. This email campaign started around mid-March and purported to come from Dr. Tedros Adhanom Ghebreyesus, Director-General of the WHO. A similar campaign was observed offering thermometers and face masks to deal with the COVID-19 outbreak. The email appears to attach images of these medical products but instead carries a loader for Agent Tesla.
In other campaigns, emails enclosed a Microsoft Excel attachment (e.g., “8651 8-14-18.xls”) or included URLs to a page that contained a button that — if clicked — redirects to download an Excel spreadsheet, such as “EMR Letter.xls”. In both cases, the Excel file contained macros that, if enabled, execute an embedded dynamic-link library (DLL) to install the “Get2 loader” malware, which has been observed loading the “GraceWire” Trojan.
The “TrickBot” malware has also been used in several COVID-19-related campaigns. For example, emails targeted Italian users with a document that appeared to contain information about the coronavirus. The document enclosed a malicious macro capable of downloading a batch file (BAT) and launching JavaScript, which pulls down the TrickBot binary and executes it on the system.
Many organizations have suddenly deployed new networks and IT infrastructure, including VPNs, to move their entire workforce to remote work. Attackers are taking advantage of this and looking for ways to exploit the increased use of communications platforms such as Microsoft Teams or Zoom by sending phishing emails containing malicious files with names such as “zoom-us-zoom_##########[.]exe” and “microsoft-teams_V#mu#D_##########[.]exe”.
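A mail-gateway triage filter built from the lure filenames quoted above, as an added example that is not part of the original article or of any agency advisory. The article prints the variable parts of those names as “#”; treating each “#” as one digit is an assumption, the log format and all sample entries are constructed, and the extra Office extensions are a generalisation beyond the .xls files the campaigns used.

```python
import re
from typing import List, Optional, Tuple

# Lure filename patterns quoted in the article; each '#' is read as one digit (assumption).
LURE_PATTERNS = {
    "zoom-themed executable lure": re.compile(r"^zoom-us-zoom_\d{10}\.exe$", re.I),
    "teams-themed executable lure": re.compile(r"^microsoft-teams_V\dmu\dD_\d{10}\.exe$", re.I),
}
# Legacy .xls files carried the macro-to-DLL chain (Get2 loader); the other
# extensions are a generalisation to the macro-capable Office formats.
MACRO_CAPABLE_EXT = (".xls", ".xlsm", ".doc", ".docm")


def refang(name: str) -> str:
    """Undo the '[.]' defanging used when indicators are quoted in reports."""
    return name.replace("[.]", ".")


def classify_attachment(name: str) -> Optional[str]:
    """Return a reason if the attachment name warrants quarantine or review, else None."""
    clean = refang(name.strip())
    for label, pattern in LURE_PATTERNS.items():
        if pattern.match(clean):
            return f"known lure pattern: {label}"
    lower = clean.lower()
    if lower.endswith(MACRO_CAPABLE_EXT):
        return "macro-capable Office attachment: sandbox before delivery"
    if lower.endswith(".exe"):
        return "executable attachment"
    return None


# Constructed sample gateway log, one "<timestamp> <sender> <attachment name>" per line.
SAMPLE_LOG = """\
2020-03-23T09:14:02Z it-support@example.test zoom-us-zoom_3391027745[.]exe
2020-03-23T09:20:11Z hr@example.test meeting-notes.pdf
2020-03-23T10:02:45Z noreply@example.test microsoft-teams_V4mu7D_8812930044[.]exe
2020-03-23T10:15:30Z supplier@example.test EMR Letter.xls
2020-03-23T11:00:00Z zoom-us@example.test zoom-us-zoom_12345.exe
"""


def scan_log(log: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, sender, reason) for every line whose attachment is flagged."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, sender, attachment = line.split(maxsplit=2)  # name may contain spaces
        reason = classify_attachment(attachment)
        if reason:
            hits.append((ts, sender, reason))
    return hits


if __name__ == "__main__":
    for ts, sender, reason in scan_log(SAMPLE_LOG):
        print(f"{ts} {sender}: {reason}")
```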
Mitigation
To keep attackers at bay, several government security agencies, including the FBI, DHS, CISA, and NCSC, have stepped in and issued security guidance to improve the security posture of individuals and organizations. Let’s look at the guidelines set out by these bodies. A joint advisory from DHS CISA and the NCSC provides information on how cyberattackers and APT groups are exploiting the COVID-19 global pandemic. It includes a comprehensive list of IOCs for detection, along with mitigation advice. The NCSC and CISA are working with law enforcement and industry partners to disrupt or prevent these COVID-19-themed attacks.
The NCSC’s suspicious email guidance explains whom to contact if your account or device has been compromised and lists mitigation steps you can take, such as changing your passwords. It also outlines tips for identifying a phishing email. Organizations that broaden their defenses to include extensive technical measures can improve their resilience against phishing attacks. In addition, organizations should consider the NCSC’s guidance, which divides mitigations into four layers. CISA’s guidelines likewise describe how companies can help their users identify and report suspected phishing emails.